XxXC
Background: Know: Netflow, templates, TLV formatting Recognize: This is like TLV formatting, except the values recur in groups (records), so rather than repeat the type and length for each group, they appear once in the template, and then the values appear (data records), saving space. NETFLOW PACKET EXAMPLE On the right side, there is a example of NetFlow packet (Version 9). NetFlow mainly has five different versions including V1, V5, V7, V8 and V9. PART 1: Header a. Version: Version number Version 9 is 0x0009 b. Count: Number of FlowSet records in this packet. In this example, the value is 4 (should be 4 FlowSet), which indicates that only two FlowSets are showed and other two don't draw on this figure. c. System Uptime: Runtime since this device was first booted (ms) d. UNIX Second: Seconds since 0000 Coordinated Universal Time (UTC) 1970 e. Package Sequence: The number of export packets sent by this export device and it is cumulative f. Source ID: It is a 32-bit value and unique in order to distinguish all flows PART 2: Template FlowSet a. Flow Set ID: An unique Flow Set ID (range of 0-255) b. Length: The total length of this FlowSet c. Template ID: An unique Template ID d. Field Count: The number of fields in this template record. In this example, 5 means there are five fields showed below Field 1: IPv4_SRC_ADDR: IPv4 source address (Value=8, Length=4) Field 2: IPv4_DST_ADDR: IPv4 destination address (Value=12, Length=4) Field 3: IPv4_NEXT_HOP: IPv4 address of next-hop router (Value=15, Length=4) Field 4: PKTS_32: Incoming counter with length 32*8 bits for the number of packets associated with an IP Flow Field 5: BYTES_32: Incoming counter with length 32*8 bits for number of bytes associated with an IP Flow PART 3: Data FlowSet a. Flow Set ID = Template ID: It maps to a template ID because the data should match template FlowSet b. Length: In this example, length is 64 bytes (3*(5*4)+4=64, 3 is the number of connections, 5 is each data length, 4 FlowSets each connections, 4 is the ID and length field) The rest of numbers are parameter values corresponding each parameter type and length that are defined at Template FlowSet. Systems usually take a 5-tuple flow as the criterion of Flow record classification including source&destination addresses, source&destination ports and protocol types. Cisco To understand the working of this example , have a look on first example. Net Flow Example : (1) Describes contents related to remote monitoring. (Previous Slide) (2) We have different protocols in order to understand the record of packet flow. (3) One is Net Flow protocol and the other one is Internet protocol fix (IP Fix). Figure Preview In this Figure we will be understanding the working of Net Flow protocol, by using the example of NetFlow version 9 Export Packet. Understanding of this example concludes following facts: (a) Data flow sets & templates can be combined together to form Export Packet. (b) Data flows & templates can be arranged in a non-contiguous way to increase performance. © Template ID : Records a map to Flow Set ID in the corresponding Data Flow Set. (d) Data Record Layout : maps to the fields formats defined in the template record. Note: "Data records are not necessarily preceded by their corresponding template within an export packet". Reference: Cisco IOS NetFlow Version 9 Flow-Record Format, Cisco, February 2007 Category:All